PATENT COOPERATION TREATY 

PCT 



INTERNATIONAL PRELIMINARY EXAMINATION REPORT

(PCT Article 36 and Rule 70) 



Rec'd 30 AUG 2005




Applicant's or agent's file reference 
CH920030006 



FOR FURTHER ACTION See Notification of Transmittal of International






Priority date (day/month/year)
30.05.2003 



Applicant 

INTERNATIONAL BUSINESS MACHINES CORPORATION 



et al.



2. This REPORT consists of a total of 7 sheets, including this cover sheet.

This report is also accompanied by ANNEXES, i.e. sheets of the description, claims and/or drawings which have been amended and are the basis for this report and/or sheets containing rectifications made before this Authority (see Rule 70.16 and Section 607 of the Administrative Instructions).

These annexes consist of a total of 1 sheets.



This report contains indications relating to the following items: 

Basis of the opinion 
Priority 

Certain documents cited 
Certain defects in the international application 
Certain observations on the international application 






Date of submission of the demand 
02.12.2004 



Name and mailing address of the international 
preliminary examining authority: 

European Patent Office
D-80298 Munich
Tel. +49 89 2399 - 0 Tx: 523656 epmu d
Fax: +49 89 2399 - 4465



Date of completion of this report 

29.08.2005 
Authorized Officer 

Kopp, K 

Telephone No. +49 89 2399-7833 



Form PCT/IPEA/409 (Cover Sheet) (January 2004)



INTERNATIONAL PRELIMINARY 
EXAMINATION REPORT 



Basis of the report 



International application No. PCT/IB 03>D5328 



[...] and are not annexed to this report since they do not contain amendments [...]



Description, Pages 

1,3-13 
Claims, Numbers

1-22 

Drawings, Sheets 

1/4-4/4 



as originally filed 

filed with telefax on 07.07.2005 



as originally filed 



as originally filed 



These elements were available or furnished to this Authority in the following language: , which is:

□ the language of a translation furnished for the purposes of the international search (under Rule 23.1(b)).

□ the language of publication of the international application (under Rule 48.3(b)).

□ [...] purposes of international preliminary examination (under

□ contained in the international application in written form.

□ filed together with the international application in computer readable form.

□ furnished subsequently to this Authority in written form.

□ furnished subsequently to this Authority in computer readable form.

□ [...] listing does not go beyond the disclosure

□ [...] recorded in computer readable form is identical to the written sequence

4. The amendments have resulted in the cancellation of:

□ the description, pages:
□ the claims, Nos.:
□ the drawings, sheets:
Industrial applicability (IA)

Re Item V

Reasoned statement under Rule [...]

1. Reference is made to the following documents (D):

D1: [...] (JOHN A; LANCOPE INC) [...] August [...]

D2: [...] A (POIRIER DANIEL EARL ET AL) 24 October 2002

D3: [...] (RECOURSE TECHNOLOGIES INC) 31 October 2002

D4: WO 02/03653 A (BRITISH TELECOMM; SOPPERA ANDREA (IT)) 10 January 2002 (2002-01-10)

D5: US 2002/105910 A1 (BRANDON KEVIN WILLIAM ET AL) 8 August 2002 (2002-08-08)

2. Claim 1 lacks an inventive step (Article 33(3) PCT).

Document D1, which is considered to represent the most relevant state of the art for claim 1, discloses, insofar the subject-matter is clear, according to the subject-matter of claim 1:

[...] (page 6, lines 14-15) comprising [...] in the [...]

• identifying data traffic on the network (page 6, lines 22-23);

• [...] traffic so [...] (page [...]

The subject-matter of claim 1 differs from the [...] than inspecting a subset of the data traffic.

[...] a common design measure obvious for a person skilled in the art [...]

[...] requirements of the PCT in respect of inventive step [...] disclosed in D2 - D5 (e.g. "rerouting any data traffic [...] processing [...] attack to an address on the network", "providing [...] alert [...] indicative of the attack detected [...]
5. Certain defects in the international application 

5.1 [...]

[...] known in combination from the prior art document D1 [...] PCT) and with the remaining [...] included in the characterising part (Rule 6.3(b)(ii) PCT).

5.3 The relevant background art disclosed in the document D1 should have been mentioned and identified in the description (Rule 5.1(a)(ii) PCT).

6. [...] application, i.e. the claims [...]

6.1 Although method claims 1 and 21 and apparatus claims 8 and 15 have been [...] independent claims, they appear to relate effectively to the same subject-matter and to differ from each other only with regard to the definition of the subject-matter for which protection is sought and in respect of the terminology used for the features of that subject-matter. The aforementioned claims therefore lack conciseness.

6.2 The expressions

• "technical data" used in claim 20;
• "the degree of network security achieved" used in claim 19;
• "the turnover of said entity" used in claim 19;

are vague and unclear and leave the reader in doubt as to the meaning of the technical features to which they refer, thereby rendering the definition of the subject-matter of said claims unclear.

6.3 The subject-matter of claim 7 is unclear, since the formulation "comprising including in the warning message program code" is not clear.

6.4 The scope of protection sought for of claim 15 is unclear, since the data communications network is not defined per se but only specified by its relationship [...] a plurality of addresses for [...] system and a third entity "apparatus for detecting attacks on the network" in [...] link between the [...]

6.5 The scope of protection sought for of claim 16 is unclear, since it is not clear if the [...] to perform all of the method [...] in [...]



6.6 An antecedent definition for the expressions

• "the warning message program code" in claim 7;
• "the warning message" in claim 14;
• "the charge being billed", "said entity", "the size of the network", "the number [...] of assigned addresses", "the volume of data traffic", "the number of attacks", "the number of alerts", "the signature of the identified attack", "the volume of rerouted data traffic", "the degree of network security achieved", "the turnover of said entity" [...];
• "the attack-handling" in claim 20;

is missing.

6.7 As explained below, some of the features in the apparatus claims 9, 11, 16 relate to a method of using the apparatus rather than clearly defining the apparatus in terms of its technical features. The intended limitations are therefore not clear from these claims:

• "inspects" in claim 9;
• "sends" in claim 11;
• "configures" in claim 16.

6.8 The subject-matter of claim 13 is unclear, since it is not clear how to assign a
disinfection server to the disinfection address. However, it is clear how to assign
the disinfection address to the disinfection server.

6.9 The expression "preferably", used in claim 19, leads to doubts about the scope of
protection (PCT Guidelines 5.40), because it is unclear if the features following
this expression are part of the scope of protection sought for or not.

6.10 The backreference of claim 5 leads to doubts about the scope of protection
sought for: said claim is referenced to itself.

6.11 According to Rule 6.4(c) PCT, all claims referring back to a single previous claim
shall be grouped together, which is not the case for claims 17-20, which are
referenced back on claim 1.
processing system usually referred to as a router. In operation, the router directs inbound
communication traffic from the Internet to specified IP addresses on the network. 
Similarly, the router directs outbound communication traffic from the network in the 
direction of specified IP addresses on the Internet. 

A problem faced by many ISPs is the increasing frequency of electronic attacks to the 
networks they operate. Such attacks include computer virus attacks and so-called "worm" 
attacks. Attacks of this nature introduce significant performance degradation in networks 
operated by ISPs. Infected systems connected to the network typically attempt to spread 
the infection within the network. Many users do not recognize that their systems are 
infected. It would be desirable to provide technology for triggering disinfection of such 
systems in the interests of increasing network performance. 

Summary of the Invention 


In accordance with the present invention, there is now provided a method for detecting 
attacks on a data communications network having a plurality of addresses for assignment 
to data processing systems in the network, the method comprising: identifying data traffic 
on the network originating at any assigned address and addressed to any unassigned 
address; inspecting any data traffic so identified for data indicative of an attack; and, 
on detection of data indicative of an attack, generating an alert signal.
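
The three steps of the summarised method (identify, inspect, alert), run over a handful of flow records. This is an added example, not code from the application; the address pool, the assigned set, the byte-pattern "signature" and the flow records are all constructed assumptions.

```python
import ipaddress

# Constructed example network: the pool and the assigned set are assumptions.
POOL = ipaddress.ip_network("192.0.2.0/28")
ASSIGNED = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.2", "192.0.2.5")}

# Constructed stand-in for "data indicative of an attack" (not a real signature).
SIGNATURES = {"example-worm-marker": b"EXAMPLE-WORM-PROBE"}


def is_unassigned(addr):
    """Address belongs to the network's pool but is assigned to no user system."""
    return addr in POOL and addr not in ASSIGNED


def identify(flows):
    """Step 1: keep traffic from any assigned address to any unassigned address."""
    selected = []
    for flow in flows:
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
        if src in ASSIGNED and is_unassigned(dst):
            selected.append(flow)
    return selected


def inspect(flow):
    """Step 2: look for data indicative of an attack in identified traffic."""
    return [name for name, pattern in SIGNATURES.items() if pattern in flow["payload"]]


def detect(flows):
    """Step 3: generate one alert per identified flow that matches a signature."""
    alerts = []
    for flow in identify(flows):
        hits = inspect(flow)
        if hits:
            alerts.append({"source": flow["src"], "target": flow["dst"], "signatures": hits})
    return alerts


# Constructed flow records: source, destination, payload bytes.
SAMPLE_FLOWS = [
    {"src": "192.0.2.1", "dst": "192.0.2.2", "payload": b"GET /index.html"},
    {"src": "192.0.2.2", "dst": "192.0.2.9", "payload": b"ping"},
    {"src": "192.0.2.5", "dst": "192.0.2.9", "payload": b"\x00EXAMPLE-WORM-PROBE\x00"},
    {"src": "198.51.100.7", "dst": "192.0.2.9", "payload": b"EXAMPLE-WORM-PROBE"},
    {"src": "192.0.2.5", "dst": "203.0.113.4", "payload": b"EXAMPLE-WORM-PROBE"},
]
```

Only the second and third records pass the identification step, so the matching payloads sent from an outside source or to an address outside the pool are never inspected here; the alert names the assigned source address, which is the system a disinfection step would target.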
The term "unassigned" herein is meant as covering an address that is not assigned to a
physical device other than an apparatus for detecting an intrusion or generating an attack 
signature. In other words, the term unassigned is meant as covering an address which is 
free, i.e. not assigned to user systems. The apparatus that is designed to execute the 
method according to the invention will be the device those "unassigned" addresses are 
actually assigned to in order to make use of the invention. Those addresses are insofar 
unassigned as they are 